AWS Toolkit for Eclipse 2.0 IAM role support? - eclipse

I am using AWS Toolkit for Eclipse 2.0. Using the options (Window -> Preference -> AWS Toolkit), I have configured the IAM/login user API access key ID and secret access key. According to our AWS configuration, this IAM user has to assume a role to view/access any resources in our environment.
I am able to access AWS CLI with different profiles. In a credentials file I define a [profile] section with the aws secret key and access key.
Then in the config file I define a [profile <profile_name>] section and reference it with source_profile=<profile_name>
This doesn't seem to be recognized in AWS Toolkit 2.0 for eclipse? I even tried copying and pasting the profile section from the config file to the credentials file and it still doesn't work?
Does awstk 2.0 not support switching / assuming roles for a login?

Looks like I figured it out with help from an AWS expert. Basically you do 2 things:
generate an AWS STS session token
use the "session token" values in your IDE.
Example:
aws sts assume-role --role-arn <value> --role-session-name <value> --duration-seconds <value>
put in the values generated for these in your eclipse IDE AWS profile:
AccessKeyId
SecretAccessKey
SessionToken
You can also use a SAML assertion by using this command on the AWS CLI
aws sts assume-role-with-saml --role-arn <value> --principal-arn <value> --saml-assertion <value>
Note: the max session length is defined by the role you're using.

Related

How can I go about using Hasura CLI to export metadata via Windows Active Directory Login?

Here is information about our technical environment:
Hasura GraphQL Current server version: v2.6.2-pro.1
Hasura CLI version 2.15.0
We log onto the Hasura GraphQL Web UI Console using our Windows Active Directory Login (essentially Single-SignOn SSO) (therefore, we do not have an admin secret)
However, the official Hasura GraphQL Technical Tutorial Guide only gives examples showing the admin secret being supplied in the Hasura CLI command line console arguments (https://hasura.io/docs/latest/migrations-metadata-seeds/migrations-metadata-setup/)
hasura init demo-project --endpoint https://docs-demo.hasura.app --admin-secret mySecret
How can I go about using Hasura CLI to export metadata via Windows Active Directory Login? (I would be interested in Hasura CLI command line examples).
As of now you'll have to set an admin secret via environment variables and use that via the CLI. Please file a feature request via GitHub if you need this so we can get it tracked and prioritized.

How to set up gcloud to use credentials from identity federation with OIDC

On this page, it is explained how to set up workload identity federation and how to use it with the (Python) client libraries.
This is done by setting the GOOGLE_APPLICATION_CREDENTIALS environment variable. However, this does not work for the gcloud SDK itself, as this uses other methods for configuring credentials.
Normally, using a service account key, one would run gcloud auth activate-service-account [ACCOUNT] --key-file=KEY_FILE, but this does not work for workload identity federation credentials.
How can you set up gcloud to use workload identity federation from an OIDC identity provider?
Starting from gcloud SDK version 363.0.0, this can now be done using the --cred-file flag:
gcloud auth login --cred-file=/path/to/workload/identity/config/file
(You might need to add a --brief flag as well)
Note: earlier versions might work as well as it was already present but undocumented before 363.0.0
Source: https://cloud.google.com/sdk/docs/release-notes#36300_2021-11-02

IBM Cloud: How to bind Db2 Warehouse to Code Engine app?

I have an existing instance of Db2 Warehouse on Cloud which is deployed to an org and space. Now, I would like to bind that service to an app for deployment with IBM Cloud Code Engine.
ibmcloud ce application bind --name henriks-app --service-instance myDb2
myDb2 does not exist as IAM resource because it is a CF resource. How would I bind the two together? It seems that I would need to create some form of custom wrapper.
The best way to manually connect services to your Code Engine application is to add service credentials to a Code Engine secret, and then attach that secret to your application using environment variables or volume mounting.
While you're correct that Db2 Warehouse isn't a typical IAM-Enabled service type, based on the IBM Cloud Db2 Warehouse docs, it's possible to create a client connection with Db2 Warehouse using an IAM Service ID & API Key.
Here's how I'd "bind" the Db2 instance to a Code Engine app:
1. Create a new service ID from the IAM Service IDs page
2. Under "Assign Access" > "Access service ID additional access" > "IAM Service", you'll find "Db2 Warehouse" as an option, and you can configure exact permissions from there (e.g. which instance(s) to grant permissions to, which roles, etc)
3. Finish the configuration by clicking "Assign access"
4. Using the CLI, log in to your account and generate a new API Key, e.g. ibmcloud iam service-api-key-create mydb2key SERVICE_ID_NAME --output JSON > mydb2.json where SERVICE_ID_NAME is the name of the service ID created in Step 1
5. Target your Code Engine project, then create a new secret using the API Key JSON, e.g. ibmcloud ce secret create --name mydb2 --from-file MYDB2=mydb2.json
6. Attach the secret to your application as an environment variable, e.g. ibmcloud ce app update --name myapp --env-from-secret mydb2
After the app update goes through, your application will have access to an environment variable named MYDB2, which will have the value of a JSON object string containing your API Key.
You'll find more information about creating secrets and using secrets with applications in the Code Engine docs.

Assume/switch role in aws toolkit for eclipse 2.0

I am using AWS Toolkit for Eclipse 2.0. Using the options (Window -> Preference -> AWS Toolkit), I have configured the IAM/login user API access key ID and secret access key. According to our AWS configuration, this IAM user has to assume a role to view/access any resources in our environment. I am doing it using the AWS CLI with the "--profile " option. How do I do the same thing in AWS Toolkit for Eclipse?
Looks like I figured it out with help from an AWS expert. Basically you do 2 things:
generate an AWS STS session token
use the "session token" values in your IDE.
Example:
aws sts assume-role --role-arn "value" --role-session-name "value" --duration-seconds "value"
put in the values generated for these in your eclipse IDE AWS profile:
AccessKeyId
SecretAccessKey
SessionToken
You can also use a SAML assertion by using this command on the AWS CLI
aws sts assume-role-with-saml --role-arn "value" --principal-arn "value" --saml-assertion "value"
Note: the max session length is defined by the role you're using.
In order to switch the account you will need to add the below to your credentials file:
[regular]
aws_access_key_id = xxxxxxxxxxxxxxxxx
aws_secret_access_key = xxxxxxxxxxxx
[dev]
source_profile = regular
role_arn = arn:aws:iam::123456789123:role/RoleName
Once you do that, using AWS Toolkit, you can select "dev" profile and that's it!
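
Added example, not part of the original answers and not AWS Toolkit code: one way to carry out the "generate an STS session token, then use its values in the IDE profile" procedure described above by writing the AccessKeyId, SecretAccessKey and SessionToken from the assume-role JSON output into a named profile of the shared credentials file. It assumes the IDE reads its profiles from that file; the function name, the profile name and the sample JSON are constructed for illustration.

```python
import configparser
import json
import os
from datetime import datetime, timezone

# Constructed sample of `aws sts assume-role` JSON output (placeholder values, not real keys).
SAMPLE_STS_OUTPUT = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
        "SecretAccessKey": "constructed-secret-key",
        "SessionToken": "constructed-session-token",
        "Expiration": "2099-01-01T00:00:00+00:00",
    },
    "AssumedRoleUser": {"Arn": "arn:aws:sts::123456789123:assumed-role/RoleName/ide"},
})


def write_session_profile(sts_json, profile, path, now=None):
    """Store the temporary credentials from assume-role output under [profile].

    Returns the parsed expiration so the caller knows when to refresh.
    Hypothetical helper: comments in an existing file are not preserved.
    """
    creds = json.loads(sts_json)["Credentials"]
    # CLI v1 prints a trailing "Z", CLI v2 prints "+00:00"; accept both.
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    if expires <= now:
        raise ValueError("session credentials already expired; run assume-role again")

    ini = configparser.RawConfigParser()
    ini.read(path)                      # keep the profiles already in the file
    if ini.has_section(profile):
        ini.remove_section(profile)     # drop stale keys such as role_arn
    ini.add_section(profile)
    ini.set(profile, "aws_access_key_id", creds["AccessKeyId"])
    ini.set(profile, "aws_secret_access_key", creds["SecretAccessKey"])
    ini.set(profile, "aws_session_token", creds["SessionToken"])

    # Create with owner-only permissions; the file holds live secrets.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        ini.write(fh)
    os.chmod(path, 0o600)               # tighten a pre-existing file too
    return expires
```

Because the session expires after the duration set on the role, the profile has to be rewritten with fresh assume-role output once the returned expiration has passed.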

how external app can access ibm cloud object storage

I have an IBM COS service and am able to use curl commands via the CLI to retrieve objects. I used IAM tokens to retrieve them. But how do I let an external web app, e.g. Node, access this service?
What value should be there in authorization for external app access?
External apps will come in the form of something like the AWS CLI or any other app that uses either an HTTP library coupled with the IBM Cloud Object Storage API or even an SDK for languages like Python, Java or Node.js.
All of the above will ask you for access key and secret key.
You can get both of them from the IBM Cloud console by generating new HMAC Credentials [1]:
Navigate to your Cloud Object storage account
Click on right under Service credentials
Click New credentials button on right
For the "Add Inline Configuration Parameters (Optional)" text box enter the following JSON:
{"HMAC":true}
[1] https://console.bluemix.net/docs/services/cloud-object-storage/iam/service-credentials.html#service-credentials
Well, you could use the ibm-cos-sdk Node library https://www.npmjs.com/package/ibm-cos-sdk. You'll need to use your HMAC credentials.
var config = {
  endpoint: '<endpoint>',
  ibmAuthEndpoint: 'https://iam.ng.bluemix.net/oidc/token',
  serviceInstanceId: '<resource-instance-id>',
  accessKeyId: '<HMAC access_key>',
  secretAccessKey: '<HMAC secret access key>'
};